Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
764736c493 |
23
README.md
23
README.md
@@ -34,12 +34,12 @@ The best practice is to load your configuration from **.env** file.
|
||||
```
|
||||
# .env
|
||||
...
|
||||
###> Abel_keycloak_bearer_only_adapter ###
|
||||
###> Keycloak ###
|
||||
OAUTH_KEYCLOAK_ISSUER=http://keycloak.local:8080
|
||||
OAUTH_KEYCLOAK_REALM=my_realm
|
||||
OAUTH_KEYCLOAK_CLIENT_ID=my_bearer_client
|
||||
OAUTH_KEYCLOAK_CLIENT_SECRET=my_bearer_client_secret
|
||||
###< Abel_keycloak_bearer_only_adapter ###
|
||||
###< Keycloak ###
|
||||
...
|
||||
```
|
||||
|
||||
@@ -59,7 +59,6 @@ Here is a simple configuration that restrict access to ```/api/*``` routes only
|
||||
```yaml
|
||||
# config/packages/security.yaml
|
||||
security:
|
||||
enable_authenticator_manager: true
|
||||
providers:
|
||||
keycloak_bearer_user_provider:
|
||||
id: ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User\KeycloakBearerUserProvider
|
||||
@@ -69,22 +68,16 @@ security:
|
||||
security: false
|
||||
api:
|
||||
pattern: ^/api/
|
||||
provider: keycloak_bearer_user_provider
|
||||
custom_authenticators:
|
||||
- ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator\KeycloakBearerAuthenticator
|
||||
guard:
|
||||
provider: keycloak_bearer_user_provider
|
||||
authenticators:
|
||||
- ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator\KeycloakBearerAuthenticator
|
||||
stateless: true
|
||||
main:
|
||||
anonymous: ~
|
||||
access_control:
|
||||
- { path: ^/api/, roles: ROLE_API }
|
||||
```
|
||||
### Keycloak configuration
|
||||
|
||||
To configure keycloak to work with this bundle, [here](./Resources/docs/keycloak-config-guide.md) is a step by step documentation for a basic configuration of keycloak.
|
||||
|
||||
### Compatibility
|
||||
|
||||
|
||||
| Bundle Version | Symfony Version |
|
||||
| ------------------------------------------------------|--------------------|
|
||||
| V1.0.1 | >=4.0.0 <5.0.0 |
|
||||
| V1.1.0 (uses old authentication systeme with guard) | >=5.0.0 <6.0.0 |
|
||||
| V1.2.0 (uses new authentication systeme) | >=5.3.0 <6.0.0 |
|
||||
|
||||
@@ -3,20 +3,207 @@
|
||||
|
||||
namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator;
|
||||
|
||||
use Symfony\Component\HttpFoundation\JsonResponse;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\HttpFoundation\JsonResponse;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
|
||||
use Symfony\Component\Security\Core\Exception\AuthenticationException;
|
||||
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
|
||||
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
|
||||
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
|
||||
use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
|
||||
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
|
||||
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
|
||||
use Symfony\Component\Security\Core\User\UserInterface;
|
||||
use Symfony\Component\Security\Core\User\UserProviderInterface;
|
||||
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
|
||||
|
||||
class KeycloakBearerAuthenticator extends AbstractAuthenticator
|
||||
class KeycloakBearerAuthenticator extends AbstractGuardAuthenticator
|
||||
{
|
||||
|
||||
/**
|
||||
* Returns a response that directs the user to authenticate.
|
||||
*
|
||||
* This is called when an anonymous request accesses a resource that
|
||||
* requires authentication. The job of this method is to return some
|
||||
* response that "helps" the user start into the authentication process.
|
||||
*
|
||||
* Examples:
|
||||
*
|
||||
* - For a form login, you might redirect to the login page
|
||||
*
|
||||
* return new RedirectResponse('/login');
|
||||
*
|
||||
* - For an API token authentication system, you return a 401 response
|
||||
*
|
||||
* return new Response('Auth header required', 401);
|
||||
*
|
||||
* @param Request $request The request that resulted in an AuthenticationException
|
||||
* @param AuthenticationException|null $authException The exception that started the authentication process
|
||||
*
|
||||
* @return JsonResponse
|
||||
*/
|
||||
public function start(Request $request, AuthenticationException $authException = null)
|
||||
{
|
||||
$data = [
|
||||
// you might translate this message
|
||||
'message' => 'Auth header required'
|
||||
];
|
||||
|
||||
return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
|
||||
}
|
||||
|
||||
/**
|
||||
* Does the authenticator support the given Request?
|
||||
*
|
||||
* If this returns false, the authenticator will be skipped.
|
||||
*
|
||||
* @param Request $request
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function supports(Request $request)
|
||||
{
|
||||
return !empty($request->headers->get('Authorization'));
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the authentication credentials from the request and return them
|
||||
* as any type (e.g. an associate array).
|
||||
*
|
||||
* Whatever value you return here will be passed to getUser() and checkCredentials()
|
||||
*
|
||||
* For example, for a form login, you might:
|
||||
*
|
||||
* return [
|
||||
* 'username' => $request->request->get('_username'),
|
||||
* 'password' => $request->request->get('_password'),
|
||||
* ];
|
||||
*
|
||||
* Or for an API token that's on a header, you might use:
|
||||
*
|
||||
* return ['api_key' => $request->headers->get('X-API-TOKEN')];
|
||||
*
|
||||
* @param Request $request
|
||||
*
|
||||
* @return mixed Any non-null value
|
||||
*
|
||||
* @throws \UnexpectedValueException If null is returned
|
||||
*/
|
||||
public function getCredentials(Request $request)
|
||||
{
|
||||
return [
|
||||
'token' => $request->headers->get('Authorization'),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* Return a UserInterface object based on the credentials.
|
||||
*
|
||||
* The *credentials* are the return value from getCredentials()
|
||||
*
|
||||
* You may throw an AuthenticationException if you wish. If you return
|
||||
* null, then a UsernameNotFoundException is thrown for you.
|
||||
*
|
||||
* @param mixed $credentials
|
||||
* @param UserProviderInterface $userProvider
|
||||
*
|
||||
* @throws AuthenticationException
|
||||
*
|
||||
* @return UserInterface|null
|
||||
*/
|
||||
public function getUser($credentials, UserProviderInterface $userProvider)
|
||||
{
|
||||
$token = $credentials['token'];
|
||||
|
||||
if (!$token) {
|
||||
throw new BadCredentialsException('Token is not present in the request headers');
|
||||
}
|
||||
|
||||
try {
|
||||
$user = $userProvider->loadUserByUsername($this->formatToken($token));
|
||||
} catch (\Exception $e) {
|
||||
throw new BadCredentialsException(sprintf('Error when introspecting the token: %s', $e->getMessage()));
|
||||
}
|
||||
|
||||
return $user;
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns true if the credentials are valid.
|
||||
*
|
||||
* If any value other than true is returned, authentication will
|
||||
* fail. You may also throw an AuthenticationException if you wish
|
||||
* to cause authentication to fail.
|
||||
*
|
||||
* The *credentials* are the return value from getCredentials()
|
||||
*
|
||||
* @param mixed $credentials
|
||||
* @param UserInterface $user
|
||||
*
|
||||
* @return bool
|
||||
*
|
||||
* @throws AuthenticationException
|
||||
*/
|
||||
public function checkCredentials($credentials, UserInterface $user)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Called when authentication executed, but failed (e.g. wrong username password).
|
||||
*
|
||||
* This should return the Response sent back to the user, like a
|
||||
* RedirectResponse to the login page or a 403 response.
|
||||
*
|
||||
* If you return null, the request will continue, but the user will
|
||||
* not be authenticated. This is probably not what you want to do.
|
||||
*
|
||||
* @param Request $request
|
||||
* @param AuthenticationException $exception
|
||||
*
|
||||
* @return Response|null
|
||||
*/
|
||||
public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
|
||||
{
|
||||
return new JsonResponse(['error' => $exception->getMessage()], Response::HTTP_FORBIDDEN);
|
||||
}
|
||||
|
||||
/**
|
||||
* Called when authentication executed and was successful!
|
||||
*
|
||||
* This should return the Response sent back to the user, like a
|
||||
* RedirectResponse to the last page they visited.
|
||||
*
|
||||
* If you return null, the current request will continue, and the user
|
||||
* will be authenticated. This makes sense, for example, with an API.
|
||||
*
|
||||
* @param Request $request
|
||||
* @param TokenInterface $token
|
||||
* @param string $providerKey The provider (i.e. firewall) key
|
||||
*
|
||||
* @return Response|null
|
||||
*/
|
||||
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Does this method support remember me cookies?
|
||||
*
|
||||
* Remember me cookie will be set if *all* of the following are met:
|
||||
* A) This method returns true
|
||||
* B) The remember_me key under your firewall is configured
|
||||
* C) The "remember me" functionality is activated. This is usually
|
||||
* done by having a _remember_me checkbox in your form, but
|
||||
* can be configured by the "always_remember_me" and "remember_me_parameter"
|
||||
* parameters under the "remember_me" firewall key
|
||||
* D) The onAuthenticationSuccess method returns a Response object
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function supportsRememberMe()
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $token
|
||||
* @return string
|
||||
@@ -25,38 +212,4 @@ class KeycloakBearerAuthenticator extends AbstractAuthenticator
|
||||
{
|
||||
return trim(preg_replace('/^(?:\s+)?[B-b]earer\s/', '', $token));
|
||||
}
|
||||
|
||||
public function supports(Request $request): ?bool
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
public function authenticate(Request $request): PassportInterface
|
||||
{
|
||||
$token = $request->headers->get('Authorization');
|
||||
if (null === $token || empty($token)) {
|
||||
// The token header was empty, authentication fails with HTTP Status
|
||||
// Code 401 "Unauthorized"
|
||||
throw new CustomUserMessageAuthenticationException('Token is not present in the request headers');
|
||||
}
|
||||
|
||||
return new SelfValidatingPassport(new UserBadge($this->formatToken($token)));
|
||||
}
|
||||
|
||||
public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
|
||||
{
|
||||
$data = [
|
||||
// you may want to customize or obfuscate the message first
|
||||
'message' => strtr($exception->getMessageKey(), $exception->getMessageData())
|
||||
// or to translate this message
|
||||
// $this->translator->trans($exception->getMessageKey(), $exception->getMessageData())
|
||||
];
|
||||
|
||||
return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -245,14 +245,6 @@ class KeycloakBearerUser implements UserInterface, \Serializable
|
||||
return $this->preferred_username;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return string
|
||||
*/
|
||||
public function getUserIdentifier(): string
|
||||
{
|
||||
return $this->preferred_username;
|
||||
}
|
||||
|
||||
/**
|
||||
* Removes sensitive data from the user.
|
||||
*
|
||||
|
||||
@@ -5,15 +5,13 @@ namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User;
|
||||
|
||||
|
||||
use GuzzleHttp\Client;
|
||||
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
|
||||
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
|
||||
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
|
||||
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
|
||||
use Symfony\Component\Security\Core\User\UserInterface;
|
||||
use Symfony\Component\Security\Core\User\UserProviderInterface;
|
||||
|
||||
|
||||
class KeycloakBearerUserProvider implements UserProviderInterface{
|
||||
|
||||
class KeycloakBearerUserProvider implements UserProviderInterface
|
||||
{
|
||||
/**
|
||||
* @var string
|
||||
*/
|
||||
@@ -52,55 +50,24 @@ class KeycloakBearerUserProvider implements UserProviderInterface{
|
||||
}
|
||||
|
||||
/**
|
||||
* Refreshes the user after being reloaded from the session.
|
||||
* Loads the user for the given username.
|
||||
*
|
||||
* When a user is logged in, at the beginning of each request, the
|
||||
* User object is loaded from the session and then this method is
|
||||
* called. Your job is to make sure the user's data is still fresh by,
|
||||
* for example, re-querying for fresh User data.
|
||||
* This method must throw UsernameNotFoundException if the user is not
|
||||
* found.
|
||||
*
|
||||
* If your firewall is "stateless: true" (for a pure API, which is our case), this
|
||||
* method is not called. But it is implement it anyway.
|
||||
* @param string $accessToken The username
|
||||
*
|
||||
* @return UserInterface
|
||||
*
|
||||
* @throws UsernameNotFoundException if the user is not found
|
||||
*/
|
||||
public function refreshUser(UserInterface $user): UserInterface
|
||||
{
|
||||
if (!$user instanceof KeycloakBearerUser) {
|
||||
throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
|
||||
}
|
||||
|
||||
$user = $this->loadUserByIdentifier($user->getAccessToken());
|
||||
|
||||
if (!$user) {
|
||||
throw new UserNotFoundException();
|
||||
}
|
||||
|
||||
return $user;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $class
|
||||
* @return bool
|
||||
*/
|
||||
public function supportsClass(string $class)
|
||||
{
|
||||
return KeycloakBearerUser::class === $class || is_subclass_of(KeycloakBearerUser, User::class);
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* @param string $accessToken
|
||||
* @return UserInterface
|
||||
*/
|
||||
public function loadUserByIdentifier(string $accessToken): UserInterface
|
||||
public function loadUserByUsername($accessToken)
|
||||
{
|
||||
$client = new Client([
|
||||
'base_uri' => $this->issuer,
|
||||
]);
|
||||
|
||||
$response = $client->post('/auth/realms/'.$this->realm.'/protocol/openid-connect/token/introspect', [
|
||||
$response = $client->post('/realms/'.$this->realm.'/protocol/openid-connect/token/introspect', [
|
||||
'auth' => [$this->client_id, $this->client_secret],
|
||||
'form_params' => [
|
||||
'token' => $accessToken,
|
||||
@@ -116,11 +83,11 @@ class KeycloakBearerUserProvider implements UserProviderInterface{
|
||||
$jwt = json_decode($response->getBody(), true);
|
||||
|
||||
if (!$jwt['active']) {
|
||||
throw new CustomUserMessageAuthenticationException('The token does not exist or is not valid anymore');
|
||||
throw new \UnexpectedValueException('The token does not exist or is not valid anymore');
|
||||
}
|
||||
|
||||
if (!isset($jwt['resource_access'][$this->client_id])) {
|
||||
throw new CustomUserMessageAuthenticationException('The token does not have the necessary permissions!');
|
||||
throw new \UnexpectedValueException('The token does not have the necessary permissions!');
|
||||
}
|
||||
|
||||
return new KeycloakBearerUser(
|
||||
@@ -136,11 +103,42 @@ class KeycloakBearerUserProvider implements UserProviderInterface{
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $username
|
||||
* Refreshes the user.
|
||||
*
|
||||
* It is up to the implementation to decide if the user data should be
|
||||
* totally reloaded (e.g. from the database), or if the UserInterface
|
||||
* object can just be merged into some internal array of users / identity
|
||||
* map.
|
||||
*
|
||||
* @return UserInterface
|
||||
*
|
||||
* @throws UnsupportedUserException if the user is not supported
|
||||
* @throws UsernameNotFoundException if the user is not found
|
||||
*/
|
||||
public function loadUserByUsername(string $username): UserInterface
|
||||
public function refreshUser(UserInterface $user)
|
||||
{
|
||||
return $this->loadUserByIdentifier($username);
|
||||
if (!$user instanceof KeycloakBearerUser) {
|
||||
throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
|
||||
}
|
||||
|
||||
$user = $this->loadUserByUsername($user->getAccessToken());
|
||||
|
||||
if (!$user) {
|
||||
throw new UsernameNotFoundException();
|
||||
}
|
||||
|
||||
return $user;
|
||||
}
|
||||
|
||||
/**
|
||||
* Whether this provider supports the given user class.
|
||||
*
|
||||
* @param string $class
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function supportsClass($class)
|
||||
{
|
||||
return KeycloakBearerUser::class === $class;
|
||||
}
|
||||
}
|
||||
@@ -11,11 +11,11 @@
|
||||
],
|
||||
"minimum-stability": "stable",
|
||||
"require": {
|
||||
"php": ">=7.2.5",
|
||||
"symfony/config": "^5.3",
|
||||
"symfony/dependency-injection": "^5.3",
|
||||
"symfony/http-kernel": "^5.3",
|
||||
"symfony/security-bundle": "^5.3",
|
||||
"php": "^7.2.5|^8.0",
|
||||
"symfony/config": "^5.0",
|
||||
"symfony/dependency-injection": "^5.0",
|
||||
"symfony/http-kernel": "^5.0",
|
||||
"symfony/security-bundle": "^5.0",
|
||||
"guzzlehttp/guzzle": "^6.3",
|
||||
"ext-json": "*"
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user